From Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com>
Subject Re: How to create a network offering without firewall?
Date Fri, 28 Jun 2013 02:45:31 GMT
The problem is there is no source NAT rule added in the iptables nat table on the router.
Why is the source NAT rule not added on the router?
In your network IP addresses, do you have a source NAT IP?

Thanks,
Jayapal


On 28-Jun-2013, at 8:06 AM, WXR <474745079@qq.com> wrote:

> I tried to add the rule "iptables -A FW_OUTBOUND -j ACCEPT" to the vrouter firewall but unfortunately it has no effect.
> 
> These are the iptables rules in the file "/etc/iptables/rules":
> 
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :FW_OUTBOUND - [0:0]
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
> -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
> COMMIT
> 
> Is there anything wrong?
> 
> 
> 
> ------------------ Original ------------------
> From:  ""<emunoz@intecom.ad>;
> Date:  Thu, Jun 27, 2013 06:40 PM
> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>; 
> 
> Subject:  RE: How to create a network offering without firewall?
> 
> 
> 
> I had this issue too some days ago. I solved it by logging into the Virtual Router over ssh and adding this rule to the Firewall:
> 
> iptables -A FW_OUTBOUND -j ACCEPT
> 
> I hope this helps.
> 
> Regards
> 
> -----Original Message-----
> From: Jayapal Reddy Uradi [mailto:jayapalreddy.uradi@citrix.com]
> Sent: Thursday, 27 June 2013 12:37
> To: <users@cloudstack.apache.org>
> Subject: Re: How to create a network offering without firewall?
> 
> Is the internet accessible from the router?
> If it is accessible, please send the router iptables rules via pastebin.com.
> 
> Thanks,
> jayapal
> 
> On 27-Jun-2013, at 3:34 PM, WXR <474745079@qq.com> wrote:
> 
>> Sorry, the instance can access the vrouter gateway IP, but cannot access the Internet.
>> 
>> 
>> ------------------ Original ------------------
>> From:  "WXR"<474745079@qq.com>;
>> Date:  Thu, Jun 27, 2013 06:01 PM
>> To:  "users"<users@cloudstack.apache.org>;
>> 
>> Subject:  Re: How to create a network offering without firewall?
>> 
>> 
>> 
>> I have added an egress rule like this:
>> Source CIDR    Protocol    Start Port    End Port
>> 0.0.0.0/0      All         All           All
>> 
>> The vrouter VM can also access the Internet.
>> But the instance VM is still able to access the vrouter gateway IP and the Internet.
>> 
>> 
>> 
>> 
>> ------------------ Original ------------------
>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
>> Date:  Thu, Jun 27, 2013 05:21 PM
>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>> 
>> Subject:  Re: How to create a network offering without firewall?
>> 
>> 
>> 
>> 
>> Yes, egress firewall default action is 'BLOCK'. Here is a nice blog
>> from Radhika:
>> http://writersopendiary.wordpress.com/2013/05/27/egress-firewall-rules-in-apache-cloudstack/
>> 
>> On 27/06/13 2:21 PM, "WXR" <474745079@qq.com> wrote:
>> 
>>> By the way, when I select the default guestnetworkwithsourceNAT and
>>> create an instance, the VM cannot access the Internet. Is this a
>>> default setting? How can I let the VM access the Internet?
>>> 
>>> 
>>> 
>>> 
>>> ------------------ Original ------------------
>>> From:  "Murali Reddy"<Murali.Reddy@citrix.com>;
>>> Date:  Thu, Jun 27, 2013 04:46 PM
>>> To:  "users@cloudstack.apache.org"<users@cloudstack.apache.org>;
>>> 
>>> Subject:  Re: How to create a network offering without firewall?
>>> 
>>> 
>>> 
>>> 
>>> Also, by default all the ports that will be used by edge services are
>>> blocked by the iptables config in the router VM templates. They need to
>>> be opened explicitly with firewall rules.
>>> 
>>> On 27/06/13 2:08 PM, "Jayapal Reddy Uradi" <jayapalreddy.uradi@citrix.com> wrote:
>>> 
>>>> Without a firewall provider you can't have sourceNAT and static NAT
>>>> services, because these services are provided by the firewall provider only.
>>>> 
>>>> Thanks,
>>>> Jayapal
>>>> 
>>>> On 27-Jun-2013, at 1:35 PM, WXR <474745079@qq.com> wrote:
>>>> 
>>>>> If I create a new network offering and check
>>>>> dns, dhcp, userdata, sourceNAT, staticNAT, and do not check the firewall
>>>>> service, the firewall will be added into it automatically.
>>>>> I don't need the firewall service, so how can I create a network
>>>>> offering without firewall?
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 


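The thread turns on two things a reader can check in a router's iptables dump: whether the nat table's POSTROUTING chain carries a source NAT rule at all (Jayapal's question), and whether FW_OUTBOUND ends in an unconditional ACCEPT or lets new outbound flows fall through to the FORWARD chain's DROP policy (the egress default of BLOCK that Murali describes). The script below is an added diagnostic, not code from the thread or from CloudStack. It parses iptables-save style text, which is the format of the /etc/iptables/rules file WXR posted. The first sample is that dump trimmed to the relevant lines; the second is a constructed "after" variant with a placeholder public IP (203.0.113.10) and the ACCEPT rule from the thread added, so both outcomes are visible.

```shell
#!/bin/sh
# Added diagnostic (not CloudStack's own code): parse an iptables-save style
# dump and report whether source NAT is present and whether egress is open.

# Constructed sample 1: the nat and filter tables from the dump posted in the
# thread, trimmed to the lines that matter. No SNAT rule, and FW_OUTBOUND only
# accepts RELATED,ESTABLISHED, so new outbound flows return to FORWARD (DROP).
BROKEN_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample 2: the same dump after a source NAT rule (203.0.113.10 is
# a placeholder public IP, not from the thread) and the egress ACCEPT from the
# thread were added.
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth2 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j ACCEPT
COMMIT'

# has_snat_rule DUMP: exit 0 if the nat table's POSTROUTING chain carries a
# SNAT or MASQUERADE rule, 1 otherwise. The current "*table" header is tracked
# so that a rule in another table cannot satisfy the check.
has_snat_rule() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# fw_outbound_allows_new DUMP: exit 0 if FW_OUTBOUND has an unconditional
# "-j ACCEPT" (new guest-to-Internet connections allowed), 1 if only the
# RELATED,ESTABLISHED rule exists and new flows hit the FORWARD DROP policy.
fw_outbound_allows_new() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-[AI] FW_OUTBOUND -j ACCEPT$/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# router_egress_status DUMP: one-line summary of both checks.
router_egress_status() {
    snat=present
    egress=allowed
    has_snat_rule "$1" || snat=missing
    fw_outbound_allows_new "$1" || egress=blocked
    printf 'snat=%s egress=%s\n' "$snat" "$egress"
}

# On a live router: router_egress_status "$(iptables-save)"
router_egress_status "$BROKEN_RULES"   # snat=missing egress=blocked
router_egress_status "$FIXED_RULES"    # snat=present egress=allowed
```

Run on a live virtual router as `router_egress_status "$(iptables-save)"`; "snat=missing" is the condition Jayapal asks about and means guest traffic would leave without translation, while "egress=blocked" means the egress default is still BLOCK and the FW_OUTBOUND ACCEPT (or an egress rule in the offering) has not taken effect.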